Sign in with Google vs OpenID Connect: Understanding the difference

• Introduction
• Technical Relationship
• Implementation Comparison
  • Sign in with Google
  • Standard OIDC
• Authentication Flows
  • Sign in with Google Flow
  • OIDC Code Flow
• Implementation Distinctions
  • Protocol Implementation
  • Security Considerations
  • Feature Scope
• Choosing the Right Approach
• Conclusion

Introduction

Third-party authentication has become ubiquitous in modern web applications, allowing users to sign in using existing accounts from major providers. While OAuth 2.0 and OpenID Connect (OIDC) are the standard protocols for implementing such authentication, Google offers two distinct approaches - the standard OIDC implementation and Sign in with Google - whose relationship is often misunderstood. The similarity between Sign in with Google and OIDC’s implicit flow can be particularly misleading. Though they share some characteristics, such as direct ID token delivery, they are fundamentally different implementations with distinct capabilities and limitations.

This confusion is understandable. Sign in with Google’s token delivery mechanism resembles OIDC’s implicit flow (response_type=id_token), leading developers to assume it’s simply a wrapper around OIDC. However, this surface-level similarity masks significant differences in protocol implementation, security models, and available features.

Note on Documentation: Google’s own documentation states that “Sign in with Google is based on OAuth 2.0”. However, the same documentation describes it as a proprietary SDK that “aims to offer an easier and more secure experience for developers than the standard OAuth and OpenID Connect protocols”. This mixed messaging has contributed to developer confusion. While Sign in with Google might be inspired by OAuth 2.0 concepts, its actual implementation is a proprietary protocol that diverges significantly from standard OAuth 2.0/OIDC flows.

Technical Relationship

The resemblance between Sign in with Google and OIDC is apparent when examining OIDC’s implicit flow configuration:

response_type=id_token
response_mode=query

Both approaches deliver ID tokens directly to the frontend. However, this architectural similarity obscures fundamental differences in implementation, security considerations, and extensibility. While Sign in with Google provides a streamlined, Google-specific authentication solution, OIDC offers a comprehensive, standardized protocol with multiple flows and security options.

Implementation Comparison

Sign in with Google

Sign in with Google provides a simplified implementation through its Identity Services API:

// Simple initialization
google.accounts.id.initialize({
  client_id: 'YOUR_CLIENT_ID',
  callback: handleCredentialResponse,  // for popup mode
  login_uri: 'YOUR_LOGIN_URI'         // for redirect mode
});

// Callback receives:
{
  credential: "eyJhbGci..." // JWT ID token containing user information
  ...
}

The Google Sign in page (loaded either in a popup window or redirected main window) receives an ID token from /gsi/issue endpoint and then: In popup mode: passes it to the main window’s callback function via gsi_client.js In redirect mode: posts it to the specified login_uri

Standard OIDC

OIDC provides multiple implementation options, accommodating different security needs:

// Implicit Flow (Similar to Sign in with Google)
/authorize?
response_type=id_token&
response_mode=query&
client_id=...&
scope=openid profile&
redirect_uri=...&
nonce=...

// Code Flow (More secure alternative)
/authorize?
response_type=code&
client_id=...&
scope=openid profile&
redirect_uri=...&
state=...&
nonce=...

The client (on the web browser) can receive an ID token or authorization code as parameters in the redirect URL.

Authentication Flows

The flow differences reveal the architectural distinctions between these approaches. Sign in with Google implements a flow similar to OIDC’s implicit flow. However, OIDC also provides the code flow, which offers enhanced security through backend token exchange.

Sign in with Google Flow

+-------------+  1. Init Sign-in   +----------------+
|   Web App   | ---------------->  |                |
|  (Browser)  |                    |  Google Auth   |
|             | <----------------  |                |
+-------------+  2. ID token       +----------------+
       |                                   
       | 3. Send ID token                  
       | (ID token transmission
       |  through frontend)
       v                                   
+-------------+  4. Fetch         +----------------+
|  Backend    |     public jwks   |                |
|  Server     | <---------------  |  Google APIs   |
|             |                   |                |
+-------------+                   +----------------+
       |
       | 5. Validate ID token
       |  (verify signature using jwks and validate claims)
       |
       | 6. Create Session and respond to browser
       v

Sign in with Google implements a straightforward flow focused on ID token delivery. While this approach simplifies implementation, it comes with security considerations:

• Applications typically need to establish sessions with their backend servers, requiring the ID token to be transmitted from the frontend to the backend
• ID tokens contain sensitive user information and are meant for authentication
• ID tokens are not designed to be passed between different parties - they should ideally only flow from the authentication provider to the intended recipient

In contrast, authorization codes in OIDC’s code flow are specifically designed for such transmission through the frontend.

OIDC Code Flow

+-------------+  1. Init Auth      +----------------+
|   Web App   | ---------------->  |                |
|  (Browser)  |                    |  Google Auth   |
|             | <----------------  |                |
+-------------+  2. Auth Code      +----------------+
       |                                   ^
       | 3. Send Code                      |
       | (Code-only frontend               |
       |  transmission)                    |
       v                                   |
+-------------+  4. Exchange Code      +----------------+
|  Backend    | ---------------------> |                |
|   Server    | code + client_id       | Google's       |
|             |      + client_secret   | Token endpoint |
|             |                        |                |
|             | <--------------------- |                |
|             | 5. ID token +          |                |
|             |    Access token +      +----------------+
|             |    Refresh token
|             |                        +----------------+
|             |                        |                |
|             | <--------------------- | Google APIs    |
|             | 6. Fetch User info     |                |
|             |    from Google API     |                |
|             |    using access token  |                |
+-------------+                        +----------------+
       |
       | 7. Create Session and respond to browser
       v

The OIDC code flow demonstrates the protocol’s flexibility, offering enhanced security through backend token exchange and supporting additional features like refresh tokens.

Implementation Distinctions

The divergence between these approaches manifests in several key areas:

Protocol Implementation

Sign in with Google employs a proprietary implementation that, while similar to OIDC’s implicit flow, uses custom mechanisms and focuses solely on authentication. This specialization allows for a simpler developer experience but limits flexibility and provider portability.

Standard OIDC, conversely, implements a complete authentication and authorization protocol. It supports multiple flows, token types, and security models, enabling developers to choose the most appropriate approach for their specific requirements.

Security Considerations

The security models reflect different priorities. Sign in with Google optimizes for simplicity, handling tokens in the frontend with a predetermined security model. OIDC provides more options, including the secure code flow that keeps sensitive tokens server-side and supports various security configurations.

Feature Scope

Sign in with Google’s focused approach provides efficient authentication but limits additional capabilities. OIDC’s comprehensive protocol supports various authentication and authorization scenarios, multiple token types, and standardized endpoints.

Choosing the Right Approach

The selection between Sign in with Google and OIDC should be guided by specific project requirements:

Sign in with Google excels in scenarios requiring quick implementation of Google-specific authentication, particularly when additional OAuth features aren’t needed. Its simplified approach can accelerate development for straightforward authentication needs.

Standard OIDC becomes essential when projects require provider flexibility, enhanced security options, or additional OAuth features. Its standardized approach supports long-term maintainability and compliance requirements, though at the cost of increased implementation complexity.

Conclusion

While Sign in with Google shares surface similarities with OIDC’s implicit flow, understanding their distinct implementations is crucial for informed architectural decisions. The resemblance in token delivery mechanisms can mask significant differences in protocol implementation, security models, and available features.

Developers should consider carefully whether their projects benefit more from Sign in with Google’s streamlined, focused approach or OIDC’s comprehensive, standardized protocol. This decision impacts not only initial implementation but also long-term maintenance, security posture, and provider flexibility.

Remember: The similarity between Sign in with Google and OIDC’s implicit flow can be misleading. While they share some characteristics, they are different implementations with distinct capabilities and limitations.